1. Before creating mitigating controls you need to create a Root Org entry; this replaces the Business Units of previous AC versions. Navigate to the IMG and, under Shared Master Data Settings, create a Root Org as shown below:
[Screenshot: SAP Customizing Implementation Guide]
2. You will need to:

• Create the user in the SU01 user master in GRC.
• Run the user sync jobs in GRC.
• NWBC -> Access Management -> Access Control Owners -> Create an entry and select the owner type Mitigation Monitor or Mitigation Approver.


[Screenshot: Owner Assignment: GRCTest. Group Type: Owner (other options: Owner Group, LDAP Group). Owner: GRCTEST, Full Name: GRCTest. Owner types listed on the screen:]

Firefighter Role Owner: Firefighter Role Owners are responsible for maintaining firefighter roles and their assignments to firefighters.
Risk Owner: Risk Owners are assigned to risks and are commonly responsible for approving changes to risk definitions and violations of the risk. Risk Owners may also receive conflicting and critical action alerts.
Role Owner: Role owners are responsible for approving either role content or user-role assignment or both.
Mitigation Monitors: Mitigation Monitors are assigned to controls to monitor activity and may receive control monitor alerts.
Mitigation Approvers: Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled.
• NWBC -> Master Data -> Organization -> Assign the user in the Owner tab. After the user has been assigned to the organization, the user can be maintained as Mitigation Approver/Monitor during the Mitigation Control creation workflow.


[Screenshot: Organizations Details, Standard Hierarchy view, organization AC_CORP, effective date 17.12.2013, owner assignment]


3. Now create mitigation control from NWBC -> Setup -> Mitigation Controls -> Create 


In SP13, when we add actions in the Reports tab, an error message pops up as shown below.


Control: Test MC

Saving data failed
Action is not consistent with system SECCLNT100


Without the report the mitigation saves without issue. I am also adding the Action value by clicking F4, searching and then adding it. To resolve this, implement SAP Note 1902129 (Unable to save Mitigation control after adding AC Report).


Mitigation Monitor: The Mitigation Monitor is the one who checks whether the mitigation is being performed. This monitoring can be done either manually, or alerts can be sent to the monitor. The "Reports" maintained in the Reports tab of the mitigating control will trigger an e-mail to the Mitigation Approver if the control monitor does not run that report within the frequency mentioned.


Alerts can be set through the program mentioned below by executing the Tcode GRAC_ALERT_GENERATE. 
[Screenshot: Program for Alert Generation. System Selection: System. Alert Generation options: Conflicting and Critical Risk Alerts (Access Risk ID range, Access Risk Level range, Include Mitigated Risks, Send Notification); Control Monitor Alerts (Control ID range, Send Notification)]


Mitigation Approver: Mitigation Approvers are assigned to controls and are responsible for approving changes to the control 
definition and assignments when workflow is enabled. In GRC 10.0 we have predefined workflow for this. We need to maintain the 
below configuration settings in SPRO. 


The standard workflows mentioned below need to be enabled.


[Screenshot: MSMP Workflow Configuration. Stages: Process Global Settings, Maintain Rules, Maintain Agents, Variables & Templates, Maintain Paths, Maintain Route Mapping, Generate Versions. Processes shown, with their initiator rules:]

SAP_GRAC_FIREFIGHT_LOG_REPORT | Fire Fighter Log Report Review Workflow | GRAC_FFLOGREPORT_INITIATOR | Default initiator rule
SAP_GRAC_FUNC_APPR | Function Approval Workflow | GRAC_FUNCAPPR_INITIATOR | Default initiator rule
SAP_GRAC_RISK_APPR | Risk Approval Workflow | GRAC_RISKAPPR_INITIATOR | Default initiator rule
SAP_GRAC_ROLE_APPR | Role Approval Workflow | GRAC_ROLEAPPR_INITIATOR | Default initiator rule
SAP_GRAC_SOD_RISK_REVIEW | SOD Risk Review Workflow | GRAC_RISKREVIEW_INITIATOR | Default initiator rule
SAP_GRAC_USER_ACCESS_REVIEW | User Access Review Workflow | GRAC_USERACCRVW_INITIATOR | Default initiator rule


Issues with Deletion of Mitigation Controls or MC assignments: 


When deleting Mitigation Controls or Mitigation Control assignments, we used to get a message that the task was executed, but the deletion was not happening. After implementing the steps mentioned below, the issue was resolved.


1. Run transaction SM30

2. Display the view GRFNPARENT in change mode

3. Add new line

5. Parent = ORGUNIT


Mitigation Control Assignment Workflow 


In GRC we have a standard SAP-provided workflow for Mitigation Control assignment. I have come across a few queries w.r.t. this workflow, as the mitigation assignment approver is not able to view the details because the "VIEW DETAILS" button is greyed out, as shown in the screen below.


[Screenshot: Create Mitigation Assignment, Assign Mitigation Controls. Columns: Approve/Reject, User ID, Org Rule, Access Risk ID, Description, Rule ID, System, Control ID, Monitor, Valid From, Valid To, Status. Sample row: Asset Master Data Maintenance And Invoice Processing, control FA0012, monitor GRCTEST, valid 21.01.2014 to 21.01.2015, status Active]


Transport Organizational Units & Mitigation Controls 


There is no Transport Mechanism to move the Business Units/Organizational Units & Mitigation Controls 
from one Landscape to another Landscape in GRC Suite, because it is Master Data. 


There is no Download & Upload functionality available for these Controls to move from one Landscape 
to another. Organizational Units & Mitigation Controls are tied together as these are shared among 
GRC Access Controls & Process Controls. 

You need to recreate it in Destination Environment as Transport/Movement is not possible. 

When you create the Organizational Unit with the Description in GRC, the System will generate a unique number for the Organizational Unit, which will be different for each system. That is the reason we need to recreate the Organizational Unit in each System.

But Mitigating Control Assignments of User/Role/Profile/User Org/Role Org can be downloaded from one Landscape and uploaded to another Landscape.

The most convenient way to change existing mitigations is to use the standard ABAP programs for download and upload.
Go to SA38 and use the following programs:

GRAC_UPLOAD_MIT_ASSIGNMENTS 


GRAC_DOWNLOAD_MIT_ASSIGNMENTS 


Once you have downloaded the full list into an Excel file you can do your adjustments and upload it again. Hope this would be 
helpful. 
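A sanity check that can be run over the edited assignment list before it is uploaded again; this is an added example, not part of the original post and not SAP code. The tab-separated layout and column names are assumptions modelled on the assignment screen (the real file produced by GRAC_DOWNLOAD_MIT_ASSIGNMENTS must be checked), and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Assumed column names and layout; verify against the real download file.
DATE_FMT = "%d.%m.%Y"  # date format used on the page, e.g. 21.01.2014

# Constructed sample rows (tab-separated), not real export data.
SAMPLE = (
    "USER_ID\tACCESS_RISK_ID\tSYSTEM\tCONTROL_ID\tMONITOR\tVALID_FROM\tVALID_TO\n"
    "JDOE\tRISK_A\tSECCLNT100\tFA0012\tGRCTEST\t21.01.2014\t21.01.2015\n"
    "GRCTEST\tRISK_A\tSECCLNT100\tFA0012\tGRCTEST\t21.01.2014\t21.01.2015\n"
    "ASMITH\tRISK_B\tSECCLNT100\tFA0012\t\t21.01.2014\t21.01.2013\n"
    "BLEE\tRISK_B\tSECCLNT100\tFA0012\tGRCTEST\t21.01.2014\t31.12.9999\n"
)

def review_assignments(text, today, max_days=366):
    """Return (line_number, user, finding) tuples for rows needing attention."""
    findings = []
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        user, monitor = row["USER_ID"].strip(), row["MONITOR"].strip()
        try:
            start = datetime.strptime(row["VALID_FROM"], DATE_FMT).date()
            end = datetime.strptime(row["VALID_TO"], DATE_FMT).date()
        except ValueError:
            findings.append((line_no, user, "unparseable validity date"))
            continue
        # A mitigation nobody monitors, or that the mitigated user monitors
        # personally, does not compensate for the access risk.
        if not monitor:
            findings.append((line_no, user, "no monitor assigned"))
        elif monitor.upper() == user.upper():
            findings.append((line_no, user, "user monitors own mitigation"))
        if end < start:
            findings.append((line_no, user, "valid-to before valid-from"))
        elif end < today:
            findings.append((line_no, user, "assignment already expired"))
        elif (end - start).days > max_days:
            findings.append((line_no, user, "validity longer than review cycle"))
    return findings

if __name__ == "__main__":
    for finding in review_assignments(SAMPLE, today=date(2014, 6, 1)):
        print(*finding, sep="\t")
```

The `max_days` threshold is an illustrative review-cycle length; set it to whatever re-approval period your control owners have agreed.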


Process-oriented understanding of the Mitigation Control lifecycle:
[Figure: Mitigating Control Lifecycle]